1. Introduction

Consider a distributed mutual exclusion algorithm for processes arranged in a ring network in which mutual exclusion is guaranteed by means of a token that is passed around the ring ([6], [10], [12]). How can we determine that such a system of processes is correct? Our first attempt might be to consider a reduced system with one or two processes. If we can show that the reduced system is correct and if the individual processes are really identical, then we are tempted to conclude that the entire system will be correct. In fact, this type of informal argument is used quite frequently by designers in constructing systems that contain large numbers of identical processing elements. Of course, it is easy to contrive an example in which some pathological behavior only occurs when, say, 100 processes are connected together. By examining a system with only one or two processes it might even be quite difficult to determine that this behavior is possible. Nevertheless, one has the feeling that in many cases this kind of intuitive reasoning does lead to correct results. The question that we address in this paper is whether it is possible to provide a solid theoretical basis that will prevent fallacious conclusions in arguments of this type.

In addition to providing a firm basis for a common type of informal reasoning, our results are crucial for the success of automatic verification methods that involve temporal logic model checking ([4], [11], [14], [16]). These techniques check that a finite-state concurrent system satisfies a temporal logic formula by searching all possible paths in the global state graph determined by the concurrent system. They have been used successfully to find subtle errors in tricky self-timed circuits, errors that were apparently unknown to the designers of the circuits ([3], [5]). Although model checking is linear in the size of the global state graph, the number of states in the graph may be exponential in the number of processes. We call this problem the state explosion phenomenon. By using the results of this paper, model checking may become feasible for networks with large numbers of identical processes, thus extending the usefulness of this verification method considerably.

The logic that we use for specification is based on computation trees and is called Indexed CTL*, or ICTL*. It includes all of CTL* ([4], [7]) with the exception of the nexttime operator and can, therefore, handle both linear and branching time properties with equal facility. Typical operators include $AG\,f$, which will hold in a state provided that $f$ holds globally along all possible computation paths starting from that state, and $AF\,f$, which will hold in a state provided that $f$ eventually holds along all computation paths. In addition, our logic permits formulas of the form $\bigwedge_i f(i)$ and $\bigvee_i f(i)$ where $f(i)$ is a formula of our logic. The subformula $f(i)$ is called a generic formula; all of the atomic propositions that appear within it must be subscripted by $i$. A formula of our logic is said to be closed if all indexed propositions are within the scope of either a $\bigwedge_i$ or a $\bigvee_i$.

i  i 

A model for our logic is a labelled state transition graph or Kripke structure that represents the possible global state transitions of some finite-state concurrent system. For a family of $N$ identical processes this state graph may be obtained as a composition of the state graphs of the individual processes. Instances of the same atomic proposition in different processes are distinguished by using the number of the process as a subscript; thus, $A_5$ represents the instance of atomic proposition $A$ associated with process 5.

Since a closed formula of our logic cannot contain any atomic propositions with constant index values, it is impossible to refer to a specific process by writing such a formula. Hence, changing the number of processes in a family of identical processes should not affect the truth of a formula in our logic. We make this intuitive idea precise by introducing a new notion of bisimulation [13] between two Kripke structures with the same set of indexed propositions but different sets of index values. We then show that if two structures correspond in this manner, a closed formula of Indexed CTL* will be true in the initial state of one if and only if it is true in the initial state of the other.

We illustrate these ideas by considering a distributed mutual exclusion algorithm like the one mentioned above. We assume that the atomic proposition $c_i$ is true when the $i$-th process is in its critical region, and that the atomic proposition $d_i$ is true when the $i$-th process is delayed waiting to enter its critical region. A typical requirement for such a system is that a process waiting to enter its critical region will eventually enter the critical region. This condition is easily expressed in our logic by the formula

$\bigwedge_i AG(d_i \Rightarrow AF\,c_i)$.

By using our results it is possible to show that exactly the same formulas of our logic hold in a network with 1000 processes as hold in a network with two processes! We can use one of the temporal logic model checking algorithms to automatically check that the above formula holds in networks of size two and conclude that it will also hold in networks of size 1000. Although this example is quite simple, it should suggest many potential applications for the results of our paper.

Brookes and Rounds [2], Hennessy and Milner [9], and Graf and Sifakis [8] have all investigated the relationship between temporal logic and various notions of bisimulation among concurrent programs. However, none of the logics in their papers have operators that permit assertions about large numbers of similar processes; consequently, their results are not directly useful in solving the problem that we address in this paper. Kurshan [10] has studied the state explosion problem in the context of an automatic protocol verification system being developed at Bell Labs. In his system, protocols are verified by showing inclusion between two finite-state machines, one representing the protocol under study and one representing its specification. The state explosion problem is handled by using homomorphisms to collapse a large state machine into a much smaller one while preserving those properties that are important for verification. Since Kurshan does not use temporal logic formulas for specification, he has no analogue of our indexed formulas or of our correspondence theorem. In [15] Reif and Sistla describe a logic that has spatial as well as temporal operators. The spatial operators can range over the processes in a concurrent program and express properties similar to those expressed by our indexed formulas. However, they do not provide a way of collapsing large machines into smaller ones, and even the propositional version of their logic is undecidable. Wolper also considers a similar logic for reasoning about programs that are data-independent [17]; however, his indexed variables range over data elements, while ours range over processes. Also, there is no notion of correspondence between structures in his work. Some limitations on the type of reasoning that we propose are discussed in Apt and Kozen [1].

Our paper is organized as follows: In Section 2 we introduce the basic temporal logic CTL*. In Section 3 we state the notion of correspondence or bisimulation that we use between two finite-state machines. We also prove that this notion of bisimulation preserves the truth of CTL* formulas. In Section 4 we extend CTL* to include formulas of the form $\bigwedge_i f(i)$ and $\bigvee_i f(i)$ as explained above. We also extend our notion of correspondence and show that corresponding structures satisfy the same indexed CTL* formulas. Section 5 illustrates how the ideas in this paper can be applied to a concrete example, the distributed mutual exclusion algorithm discussed earlier. The paper ends in Section 6 with some suggestions for possible extensions.

2.  The  Logic  CTL* 

There are two types of formulas in CTL*: state formulas (which are true in a specific state) and path formulas (which are true along a specific path). Let $AP$ be the set of atomic proposition names. A state formula is either:

• $A$, if $A \in AP$.

• If $f$ and $g$ are state formulas, then $\neg f$ and $f \vee g$ are state formulas.

• If $f$ is a path formula, then $E(f)$ is a state formula.

A path formula is either:

• A state formula.

• If $f$ and $g$ are path formulas, then $\neg f$, $f \vee g$, and $f\,U\,g$ are path formulas.

CTL* is the set of state formulas generated by the above rules.

We define the semantics of CTL* with respect to a structure $M = \langle S, R, L, s_0\rangle$, where

• $S$ is a set of states.

• $R \subseteq S \times S$ is the transition relation, which must be total. We write $s_1 \to s_2$ to indicate that $(s_1, s_2) \in R$.

• $L: S \to \mathcal{P}(AP)$ is the proposition labeling.

• $s_0$ is the initial state.

We define a path in $M$ to be a sequence of states, $\pi = s_0 s_1 \ldots$, such that for every $j \ge 0$, $s_j \to s_{j+1}$. $\pi^j$ will denote the suffix of $\pi$ starting at $s_j$.

We use the standard notation to indicate that a state formula $f$ holds in a structure: $M, s \models f$ means that $f$ holds at state $s$ in structure $M$. Similarly, if $f$ is a path formula, $M, \pi \models f$ means that $f$ holds along path $\pi$ in structure $M$. The relation $\models$ is defined inductively as follows (assuming that $f_1$ and $f_2$ are state formulas and $g_1$ and $g_2$ are path formulas):

1. $s \models A \iff A \in L(s)$.

2. $s \models \neg f_1 \iff s \not\models f_1$.

3. $s \models f_1 \vee f_2 \iff s \models f_1$ or $s \models f_2$.

4. $s \models E(g_1) \iff$ there exists a path $\pi$ starting with $s$ such that $\pi \models g_1$.

5. $\pi \models f_1 \iff s$ is the first state of $\pi$ and $s \models f_1$.

6. $\pi \models \neg g_1 \iff \pi \not\models g_1$.

7. $\pi \models g_1 \vee g_2 \iff \pi \models g_1$ or $\pi \models g_2$.

8. $\pi \models g_1\,U\,g_2 \iff$ there exists a $k \ge 0$ such that $\pi^k \models g_2$ and for all $0 \le j < k$, $\pi^j \models g_1$.

We will also use the following abbreviations in writing CTL* formulas:

• $f \wedge g \equiv \neg(\neg f \vee \neg g)$   • $F\,f \equiv true\,U\,f$

• $A(f) \equiv \neg E(\neg f)$   • $G\,f \equiv \neg F \neg f$

We have omitted the nexttime operator, since it can be used to count the number of processes. For example, consider a ring of processes that pass around a token. If $t_1$ is true when process 1 has the token, then using the nexttime operator $X$,

$AG(t_1 \Rightarrow (XXX\,t_1))$

says that whenever process 1 gets the token it will receive it again in exactly three steps. This is only true if the ring has exactly three processes.

3.  Correspondence  of  Structures 

We want to be able to define a correspondence (or bisimulation) between two structures, $M_1$ and $M_2$, such that if the structures correspond, then one structure satisfies a CTL* formula if and only if the other satisfies it as well. There may be a portion of a path along which several consecutive states are all labelled by the same set of propositions. We will call such a sequence of states a block. Since CTL* has no nexttime operator, it is impossible to differentiate between a single state and a block with the same labeling as the state. However, when we correspond a state with a block, we must insure that the block is finite. Therefore, we define a finite correspondence relation $E \subseteq S_1 \times S_2 \times \mathbb{N}$ which is total for both $S_1$ and $S_2$. Intuitively, $(s, s', k)$ is in $E$ if state $s$ behaves like state $s'$ and $k$ is an upper bound on the size of the block that will correspond to $s'$ (or $s$). We will call $k$ the degree of the correspondence.

We will write $s\,E^k\,s'$ to denote $(s, s', k) \in E$. Also, we will say that two structures, $M_1$ and $M_2$, correspond if there is a correspondence relation $E$ between the two structures. Formally, $E$ is a correspondence relation if the following conditions are satisfied:

1. $s_{10}\,E^k\,s_{20}$ for some $k \in \mathbb{N}$. (The initial states should behave similarly.)

2. For every $s \in S_1$ and $s' \in S_2$ such that $s\,E^k\,s'$:

a. For every $A \in AP$, $s \models A \iff s' \models A$. (The proposition labelings are the same.)

b. $\exists s_1' [s' \to s_1' \wedge s\,E^v\,s_1'] \vee \forall s_1 [s \to s_1 \Rightarrow (s_1\,E^v\,s' \vee \exists s_1' [s' \to s_1' \wedge s_1\,E^w\,s_1'])]$, where $0 \le v < k$ and $w \ge 0$.

c. $\exists s_1 [s \to s_1 \wedge s_1\,E^v\,s'] \vee \forall s_1' [s' \to s_1' \Rightarrow (s\,E^v\,s_1' \vee \exists s_1 [s \to s_1 \wedge s_1\,E^w\,s_1'])]$, where $0 \le v < k$ and $w \ge 0$.

We will write $s\,E\,s'$ to indicate that there exists a $k$ such that $(s, s', k) \in E$. Furthermore, if $B$ and $B'$ are sequences of states, we will write $B\,E\,B'$ to indicate that every state in $B$ corresponds to every state in $B'$.

We will say that two states exactly match if for every successor of one state, there is a corresponding successor of the other and vice versa. The above definition insures an exact match between two states if they correspond with degree 0. For example, in Figure 3-1, state $s_1$ exactly matches state $s_1'$, so these states can correspond with degree 0. If two corresponding states don't exactly match, then the degree of the correspondence sets an upper bound on the number of transitions until an exact match is reached. In the figure, the remaining state can reach an exact match with $s_1'$ within 2 transitions, so these two states can correspond with degree 2.
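The following is an added example, not code from the paper: it checks a proposed relation $E \subseteq S_1 \times S_2 \times \mathbb{N}$ against conditions 1, 2a, 2b and 2c above on two small structures constructed for the purpose (they are not the paper's Figure 3-1). $M_1$ passes through a block of two $q$-labelled states where $M_2$ has a single one, so the state entering the block needs degree 1; claiming degree 0 for it is detected as a violation.

```python
# Added example (not from the paper): decide whether a given relation E is a
# correspondence relation in the sense of Section 3 (conditions 1, 2a, 2b, 2c).
# Structures M1 and M2 below are constructed for this example.

class Structure:
    """A Kripke structure <S, R, L, s0> with a total transition relation."""
    def __init__(self, states, trans, label, init):
        self.S = set(states)
        self.succ = {s: set() for s in states}
        for a, b in trans:
            self.succ[a].add(b)
        self.L = {s: frozenset(label[s]) for s in states}
        self.s0 = init
        if not all(self.succ[s] for s in states):
            raise ValueError("R must be total")

def corresponds(E, s, t, lo, hi=None):
    """True iff (s, t, v) in E for some degree v with lo <= v (and v < hi if given)."""
    return any(v >= lo and (hi is None or v < hi)
               for (a, b, v) in E if a == s and b == t)

def check_correspondence(M1, M2, E):
    """Return the list of violated conditions; an empty list means E is a correspondence."""
    problems = []
    # E must be total for S1 and for S2.
    if {a for a, _, _ in E} != M1.S or {b for _, b, _ in E} != M2.S:
        problems.append("E is not total")
    # Condition 1: the initial states correspond with some degree.
    if not corresponds(E, M1.s0, M2.s0, 0):
        problems.append("initial states do not correspond")
    for (s, t, k) in sorted(E, key=str):
        # 2a: identical proposition labelings.
        if M1.L[s] != M2.L[t]:
            problems.append(f"2a fails for ({s},{t},{k})")
        # 2b: either s matches a successor of t with a smaller degree (t's block
        # grows), or every successor of s matches t with a smaller degree
        # (s's block grows) or matches some successor of t with any degree.
        b1 = any(corresponds(E, s, t1, 0, k) for t1 in M2.succ[t])
        b2 = all(corresponds(E, s1, t, 0, k) or
                 any(corresponds(E, s1, t1, 0) for t1 in M2.succ[t])
                 for s1 in M1.succ[s])
        if not (b1 or b2):
            problems.append(f"2b fails for ({s},{t},{k})")
        # 2c: the same condition with the roles of M1 and M2 exchanged.
        c1 = any(corresponds(E, s1, t, 0, k) for s1 in M1.succ[s])
        c2 = all(corresponds(E, s, t1, 0, k) or
                 any(corresponds(E, s1, t1, 0) for s1 in M1.succ[s])
                 for t1 in M2.succ[t])
        if not (c1 or c2):
            problems.append(f"2c fails for ({s},{t},{k})")
    return problems

# Constructed structures: M1 runs p, q, q, r (a block of two q-states),
# M2 runs p, q, r; both loop forever in the r-state so R is total.
M1 = Structure([0, 1, 2, 3], [(0, 1), (1, 2), (2, 3), (3, 3)],
               {0: {"p"}, 1: {"q"}, 2: {"q"}, 3: {"r"}}, 0)
M2 = Structure(["a", "b", "c"], [("a", "b"), ("b", "c"), ("c", "c")],
               {"a": {"p"}, "b": {"q"}, "c": {"r"}}, "a")

# State 1 reaches an exact match with b after one transition, so degree 1 suffices.
E_good = {(0, "a", 0), (1, "b", 1), (2, "b", 0), (3, "c", 0)}
# Degree 0 for (1, b) is wrong: 1's successor 2 matches neither b with a
# degree below 0 nor b's successor c.
E_bad = {(0, "a", 0), (1, "b", 0), (2, "b", 0), (3, "c", 0)}

if __name__ == "__main__":
    print(check_correspondence(M1, M2, E_good))   # []
    print(check_correspondence(M1, M2, E_bad))    # 2b and 2c fail for (1,b,0)
```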

We use this intuition to prove the following lemma:

Lemma 1: Let $M_1$ and $M_2$ be two structures that correspond. Then, for every $(s, s') \in E$ and for every path $\pi$ in $M_1$ that starts in $s$, there is a path $\pi'$ in $M_2$ that starts in $s'$, a partition of $\pi$ $(B_1 B_2 \ldots)$, and a partition of $\pi'$ $(B_1' B_2' \ldots)$ such that for all $j$, $B_j\,E\,B_j'$ and either

1. $|B_j| = 1$ and $B_j'$ is finite, or

2. $|B_j'| = 1$ and $B_j$ is finite.

Moreover, for every path $\pi'$ in $M_2$, there is a path $\pi$ in $M_1$, and partitions of both paths that satisfy similar conditions.

Figure 3-1: An illustration of Corresponding Structures

Proof: We will prove this by induction on the length of $\pi$.

Base: $\pi$ is of length 1, so $\pi = s$. Let $B_1 = \langle s\rangle$, $\pi' = s'$, and $B_1' = \langle s'\rangle$.

Induction: Let $\pi = s_1 s_2 \ldots s_n$. By the inductive hypothesis, there is a partition of $\pi$, $B_1 B_2 \ldots B_l$, a path $\pi'$ in $M_2$, and a partition of $\pi'$, $B_1' B_2' \ldots B_l'$, such that $B_j\,E\,B_j'$ for $1 \le j \le l$. Now we want to show that if we lengthen $\pi$ by adding some $s_{n+1}$ such that $s_n \to s_{n+1}$, the lemma still holds.

Since $s_n$ is the last state of $\pi$, it must be in the last block $B_l$, so there must be a $k$ such that $s_n\,E^k\,last(B_l')$. We will prove by induction on $k$ that it is possible to extend $\pi'$ as required.

The basis for the second induction is $s_n\,E^0\,last(B_l')$. By the definition of $E^0$, there exists a $s'$ such that $last(B_l') \to s'$ and $s_{n+1}\,E^w\,s'$ for some $w \ge 0$. We can extend the partitions of $\pi$ and $\pi'$ by defining $B_{l+1} = \langle s_{n+1}\rangle$ and $B_{l+1}' = \langle s'\rangle$. Therefore, the basis case is true.
For the inductive step, the definition of $E$ has three cases:

1. $\exists s' [last(B_l') \to s' \wedge s_{n+1}\,E^w\,s']$ for some $w \ge 0$.

This case is the same as the base case.

2. $\exists s' [last(B_l') \to s' \wedge s_n\,E^v\,s']$ for some $0 \le v < k$.

If $|B_l| \ne 1$, we can remove the last state $s_n$ from $B_l$. Let $B_l$ be $B_l$ with $s_n$ removed, $B_{l+1} = \langle s_n\rangle$, and $B_{l+1}' = \langle s'\rangle$. On the other hand, if $|B_l| = 1$, we can simply add $s'$ to $B_l'$. In both cases, since the degree of correspondence between $s_n$ and $s'$ is less than $k$, by the inductive hypothesis we can extend $\pi'$ appropriately.

3. $s_{n+1}\,E^v\,last(B_l')$ for some $0 \le v < k$.

To begin with, if $|B_l'| \ne 1$, we can remove the last element of $B_l'$ and put it into a new block of the partition. Let $B_l'$ be $B_l'$ without the last element, $B_{l+1}' = \langle last(B_l')\rangle$, and $B_{l+1} = \langle s_{n+1}\rangle$. These partitions satisfy the lemma.

On the other hand, if $|B_l'| = 1$, we can simply add $s_{n+1}$ to $B_l$. Therefore, the lemma holds for this case.

It is also necessary to show that all of the blocks in this construction are finite. This problem may arise in the second and the third case, where we might add an infinite number of states to $B_l'$ (or $B_l$). However, since the degree of the correspondence between the states in $B_l'$ ($B_l$) and the state in $B_l$ ($B_l'$) is decreasing and cannot be less than zero, these constructions will only apply a finite number of times. Hence, only a finite number of states will be added to the last block, so it must be finite.

Given $\pi'$ in $M_2$, we can use the same argument to show the existence of $\pi$ in $M_1$ and the corresponding partitions. Therefore, the lemma holds. □

We now prove the CTL* correspondence theorem:

Theorem 2: Let $M_1$ and $M_2$ be two structures that correspond. Then for all $h \in$ CTL*,

$M_1, s_{10} \models h \iff M_2, s_{20} \models h$.

This theorem is a consequence of the following lemma:

Lemma 3: Let $M_1$ and $M_2$ be two structures that correspond. Let $h$ be either a state formula or a path formula. Let $\pi$ be a path in $M_1$ starting with $s$ and $\pi'$ be a path in $M_2$ starting with $s'$. If there is a partition of $\pi$ $(B_1 B_2 \ldots)$ and a partition of $\pi'$ $(B_1' B_2' \ldots)$ such that all of the blocks are finite and $B_j\,E\,B_j'$ for all $j$, then

$s \models h \iff s' \models h$, if $h$ is a state formula, and
$\pi \models h \iff \pi' \models h$, if $h$ is a path formula.

Proof: Since $s \in B_1$ and $s' \in B_1'$, $s\,E\,s'$. We will now prove the lemma by induction on the structure of $h$.

Base: $h = A$. By the definition of $E$, $s \models A \iff s' \models A$.

Induction: There are several cases.

1. $h = \neg h_1$, a state formula.

$s \models h \iff s \not\models h_1$

$\iff s' \not\models h_1$ (induction hypothesis)

$\iff s' \models h$

The same reasoning holds if $h$ is a path formula.

2. $h = h_1 \vee h_2$, a state formula.

Without loss of generality,

$s \models h \iff s \models h_1$ or $s \models h_2$

$\Rightarrow s \models h_1$

$\iff s' \models h_1$ (induction hypothesis)

$\Rightarrow s' \models h$

The argument is the same in the other direction. We can also use this argument if $h$ is a path formula.

3. $h = E(h_1)$, a state formula.

Suppose that $s \models h$. Then there is a path, $\pi_1 = s\,s_1 s_2 \ldots$, starting with $s$ such that $\pi_1 \models h_1$. By Lemma 1, there is a partition of this path, $B_1 B_2 \ldots$, and a path $\pi_1'$ in $M_2$ with a partition, $B_1' B_2' \ldots$, such that the blocks of both partitions are finite and $B_j\,E\,B_j'$ for all $j \ge 1$. So by the induction hypothesis, $\pi_1 \models h_1 \iff \pi_1' \models h_1$. Therefore, $s \models E(h_1) \Rightarrow s' \models E(h_1)$. We can use the same argument in the other direction, so the lemma holds.

4. $h = h_1$, where $h$ is a path formula and $h_1$ is a state formula.

Although the lengths of $h$ and $h_1$ are the same, we can imagine that $h = path(h_1)$, where $path$ is an operator which converts a state formula into a path formula. Therefore, we are simplifying $h$ by dropping this path operator. So now, with $s$ and $s'$ the first states of $\pi$ and $\pi'$:

$\pi \models h \iff s \models h_1$

$\iff s' \models h_1$ (induction hypothesis)

$\iff \pi' \models h$

The reverse direction is similar.

5. $h = h_1\,U\,h_2$, a path formula.

Suppose that $\pi \models h_1\,U\,h_2$. By the definition of the until operator, there is a $k$ such that $\pi^k \models h_2$ and for all $0 \le j < k$, $\pi^j \models h_1$. Suppose that $s_k$ is in block $B_l$. Then $\hat{B}_l B_{l+1} \ldots$, where $\hat{B}_l$ is the part of $B_l$ starting with $s_k$, is a partition of $\pi^k$. So $B_l' B_{l+1}' \ldots$ is the partition of a path in $M_2$ such that $B_j\,E\,B_j'$ is true for all $j \ge l$. Therefore, by the induction hypothesis,

$B_l' B_{l+1}' \ldots \models h_2$.

Now, any state $s_m'$ before $first(B_l')$ on the path $\pi'$ is in some block $B_i'$, $i < l$. If $\hat{B}_i'$ is the part of $B_i'$ starting with $s_m'$, then $\hat{B}_i' B_{i+1}' \ldots$ is a partition of $\pi'^m$. Also, $B_i B_{i+1} \ldots$ is a partition of a suffix of $\pi$ such that $B_n\,E\,B_n'$ is true for all $n \ge i$. Since we know $i < l$, we know that this path starts with a state before $s_k$, so $B_i B_{i+1} \ldots \models h_1$. Therefore, by the induction hypothesis,

$\hat{B}_i' B_{i+1}' \ldots \models h_1$, i.e.

$\pi'^m \models h_1$

for any $m$ before $first(B_l')$. Therefore $\pi' \models h$.

We can use the same argument in the other direction. □

4.  Applying  CTL*  to  Networks  of  Processes 

In order to reason about networks of identical processes, we need to be able to distinguish between the atomic propositions of the different processes. Therefore, we introduce the notion of indexed atomic propositions such that $A_i$ is the value of proposition $A$ in process $i$. Let $IP$ be a set of proposition names which will be indexed by a set of index variables, $IV$, and let $AP$ be a set of atomic propositions as before. The logic Indexed CTL* is an extension of CTL* where

• $A_i$ is a state formula if $A \in IP$ and $i \in IV$.

• If $f$ is a state formula that has exactly one free index variable $i$, then $\bigvee_i f$ is a state formula. (We will write $f(i)$ to indicate that $f$ has a free index variable $i$.)

Indexed CTL* is the set of closed state formulas generated by these rules and the rules in Section 2.


We define the semantics of Indexed CTL* with respect to a structure $M = \langle AP, IP, I, S, R, L, s_0\rangle$ where

• $AP$ is the set of atomic formulas.

• $IP$ is the set of atomic formulas indexed by values from $I$.

• $I$ is the set of index values (a subset of $\mathbb{N}$).

• $S$ is a set of states.

• $R \subseteq S \times S$ is the transition relation.

• $L: S \to \mathcal{P}(AP) \cup \mathcal{P}(IP \times I)$ is the proposition labeling. We will write $A_i$ instead of $(A, i)$.

• $s_0$ is the initial state.

We extend the relation $\models$ to deal with indexed CTL* formulas as well:

1. $s \models A_i \iff A_i \in L(s)$.

2. $s \models \bigvee_i f(i) \iff$ there exists a $c \in I$ such that $s \models f(c)$.

We will use $\bigwedge_i f(i)$ as an abbreviation for $\neg\bigvee_i \neg f(i)$.


Figure 4-1: Example to Illustrate Restrictions on ICTL*


Even without the nexttime operator, this logic is too powerful: by nesting the operators $\bigwedge$ and $\bigvee$ it might still be possible to count the number of processes in a concurrent system. Suppose we take as our Kripke structure the global state graph for the concurrent program in Figure 4-1. The following formula sets a lower bound on the number of processes:

$\bigvee_i (A_i \wedge EF(B_i \wedge \bigvee_j (A_j \wedge EF(B_j \wedge \bigvee_k (A_k \wedge \ldots)))))$

Once $B_i$ becomes true, it remains true. Therefore, if $\bigvee_k A_k$ is true, we know that this $k$ is different from all of the preceding indices mentioned in the formula. For this reason, we will use a restricted form of ICTL*. The additional restrictions are:


• $\bigvee_i f$ is a permissible state formula only if $f$ does not contain any $\bigvee$ operators.

• $g_1\,U\,g_2$ is a permissible path formula only if neither $g_1$ nor $g_2$ contains any $\bigvee$ operators.

In practice, many of the most interesting properties of networks of identical processes can be expressed in the restricted logic. One important property that cannot be expressed is that an indexed proposition holds for exactly one index value, since this involves nesting of $\bigvee$ operators. Nevertheless, we can handle such a property within the framework that we have developed by means of a slight extension to the language and its semantics. We add a special atomic formula $\odot P$ to $AP$ for every $P$ in $IP$. The proposition labeling is then extended as follows: $\odot P \in L(s)$ if and only if there is exactly one $c \in I$ such that $P_c \in L(s)$. In the remainder of the paper, we will refer to the restricted logic with this extension as ICTL* unless otherwise stated.

We can use the notion of correspondence defined in Section 3 to define an indexed correspondence. Since the restrictions to ICTL* do not permit the use of two different indices with an until operator, it is impossible to refer to the behavior of two different processes along a specific path. Thus, the notion of indexed correspondence between structures only needs to refer to one index from each structure at a time. Because of this, we will define a set of correspondence relations, $E_{i,i'}$, that relate the behavior of an index $i$ in $I_1$ to the behavior of an index $i'$ in $I_2$.

Let $M$ be a structure and $i$ be an index value from $I$. The reduction of $M$ to $i$ (denoted by $M|_i$) is a structure identical to $M$ except that the new proposition labeling $L|_i$ is defined as follows:

$L|_i(s) = \{A \mid A \in AP \wedge A \in L(s)\} \cup \{A_i \mid A \in IP \wedge A_i \in L(s)\}$

In other words, all of the indexed atomic formulas are omitted except those that are indexed by $i$.

Now, we say that two structures, $M_1$ and $M_2$, with the same set of indexed and nonindexed atomic formulas, $(i, i')$-correspond if and only if $M_1|_i$ and $M_2|_{i'}$ correspond. We will write this as $M_1\,E_{i,i'}\,M_2$.

We can prove an analogous result to Lemma 1 for $(i, i')$-corresponding structures, where the correspondence between states is now an $(i, i')$-correspondence. Using this result we can prove the following lemma concerning unquantified formulas:

Lemma 4: Let $M_1$ and $M_2$ be two structures that $(i, i')$-correspond. Let $h(i)$ be an indexed CTL* formula without any $\bigvee$ operators and with one free index variable. Let $\pi$ be a path in $M_1$ starting with $s$ and $\pi'$ be a path in $M_2$ starting with $s'$. If there is a partition of $\pi$ $(B_1 B_2 \ldots)$ and a partition of $\pi'$ $(B_1' B_2' \ldots)$ such that all of the blocks are finite and $B_j\,E_{i,i'}\,B_j'$ for all $j$, then

$s \models h(i) \iff s' \models h(i')$, if $h$ is a state formula, and

$\pi \models h(i) \iff \pi' \models h(i')$, if $h$ is a path formula.
The proof follows the same lines as the proof of the CTL* correspondence theorem except that there is an extra base case for indexed atomic propositions. By the definition of $(i, i')$-correspondence, $s \models A_i \iff s' \models A_{i'}$ is immediate.

Using this lemma, we can prove the major result of this paper, the ICTL* correspondence theorem:

Theorem 5: Let $M_1$ and $M_2$ be two structures and $IS$ be a relation over $I_1 \times I_2$ that is total for both $I_1$ and $I_2$. If for every $(i, i') \in IS$ the two structures $(i, i')$-correspond, then $M_1, s_{10} \models h \iff M_2, s_{20} \models h$ for every ICTL* formula $h$.

Proof: We prove this theorem by induction on the structure of $h$. The only interesting case is the base case, when $h = \bigvee_i h_1(i)$. If $s_{10} \models \bigvee_i h_1(i)$, then there is some $i$ such that $s_{10} \models h_1(i)$. Since $IS$ is total, there is an $i'$ such that $(i, i') \in IS$. Therefore, since $M_1$ and $M_2$ $(i, i')$-correspond, Lemma 4 gives $s_{20} \models h_1(i')$. Therefore, $s_{20} \models \bigvee_i h_1(i)$. The reverse argument is similar.

The proofs of the remaining cases ($\neg h_1$ and $h_1 \vee h_2$) are straightforward. Therefore, the ICTL* correspondence theorem is true. □

5.  Distributed  Mutual  Exclusion  Example 

In this section we illustrate how our ideas might be applied to the distributed mutual exclusion example mentioned in the introduction. We assume that $r$ processes are arranged in a ring. Each process $P_i$ is always in one of three states: a neutral state (denoted by $n_i$), a delay state (denoted by $d_i$), or a critical state (denoted by $c_i$). Exactly one process will have the token at any given time; if process $i$ has the token this will be denoted by $t_i$. The global state graph for the case of two processes is shown in Figure 5-1. In the case of $r > 2$ processes, there may be more than one delayed process. Whenever this occurs, the process $P_i$ with the token should eventually give the token to the closest neighbor to its left that is in a delay state; we denote the closest neighbor to the left by $cln(i)$.¹ We next define the state transition graph in the case of $r$ processes: $M_r = \langle AP_r, IP_r, I_r, S_r, R_r, L_r, s_{r0}\rangle$, where

• $AP_r = \emptyset$

• $IP_r = \{d, c, n, t\}$

¹ It is assumed that the token will be transferred through consecutive processes from $P_i$ to $P_{cln(i)}$; however, the exact mechanism of this transfer will not be explicitly represented in our model at this level of abstraction; thus, the transfer of the token only requires one global transition.


Figure 5-1: Two Process Mutual Exclusion Example


• $I_r = \{1, \ldots, r\}$

• $S_r = \{s \mid s = \langle D, N, T, C, O\rangle\}$, where

o $D = \{i \mid s \models d_i\}$
o $N = \{i \mid s \models n_i \wedge \neg t_i\}$
o $T = \{i \mid s \models n_i \wedge t_i\}$
o $C = \{i \mid s \models c_i \wedge t_i\}$
o $O = I_r - (D \cup N \cup T \cup C)$

We will refer to the sets $D$, $N$, $T$, $C$ and $O$ as the parts of state $s$.

• $R_r = \{(s, s_1) \mid s = \langle D, N, T, C, O \rangle \wedge s_1 = \langle D_1, N_1, T_1, C_1, O_1 \rangle \wedge {}$

$$
\begin{aligned}
[\;&\exists i\,[\, i \in N \wedge D_1 = D \cup \{i\} \wedge N_1 = N - \{i\} \wedge T_1 = T \wedge C_1 = C \,] \;\vee \\
&\exists i\,\exists j\,[\, i \in D \wedge j \in T \cup C \wedge i = cln(j) \wedge D_1 = D - \{i\} \wedge N_1 = N \cup \{j\} \wedge T_1 = T - \{j\} \wedge C_1 = (C - \{j\}) \cup \{i\} \,] \;\vee \\
&\exists i\,[\, i \in T \wedge D_1 = D \wedge N_1 = N \wedge T_1 = T - \{i\} \wedge C_1 = C \cup \{i\} \,] \;\vee \\
&\exists i\,[\, i \in C \wedge D = \emptyset \wedge D_1 = D \wedge N_1 = N \wedge T_1 = T \cup \{i\} \wedge C_1 = C - \{i\} \,] \;]\}
\end{aligned}
$$

In the first transition some process moves from its neutral state to its delay state. In the second transition the token is transferred from a process $j$ to a process $i$ where $i = cln(j)$; the receiving process enters its critical state directly. In the third transition the process with the token moves from its neutral state to its critical state. In the last transition the process with the token moves from its critical state to its neutral state; since no other process wants the token ($D = \emptyset$), it remains with the same process.

• $L_r(s) = \{ d_i \mid i \in D \} \cup \{ n_i \mid i \in N \cup T \} \cup \{ t_i \mid i \in T \cup C \} \cup \{ c_i \mid i \in C \}$

• $s^0_r = \langle \emptyset, \{2, \ldots, r\}, \{1\}, \emptyset, \emptyset \rangle$

Ultimately, we want to establish a correspondence between the mutual exclusion program with $r$ processes and the program with 2 processes. (It is impossible to establish a correspondence between the $r$-process version and the one-process version, since no process can ever enter its delay state in the one-process version.) It is easier to prove the correctness of the correspondence if we first show that certain simple invariants hold of our mutual exclusion program:

1. $D$, $N$, $T$ and $C$ form a partition of $I_r$, i.e. they are disjoint and $O$ is always empty.

2. Once a process has requested the token, it will not stop requesting until the token is received.

3. There is exactly one process with the token at any time, i.e. $|T \cup C| = 1$ in every reachable state.

To establish these invariants, it is sufficient to show that they hold initially in $s^0_r$ and that every transition in $R_r$ preserves them. In this case, the proofs are trivial, so we omit them.

The state transition graph given above is not a Kripke structure, since some states may not have any transitions (e.g. the state where all processes are delayed and no process has the token). However, if we restrict $G_r$ to the set of states reachable from $s^0_r$, we do obtain a Kripke structure, which we denote by $M_r$. Since we have shown that every reachable state has a process with the token, this process can always transition to or from its critical section (either back to its neutral state or by transferring the token to a delayed process); therefore $R_r$ is total on the reachable states.

Once we have established the correspondence using the invariants, we can apply the CTL model checking algorithm [4] to the two-process mutual exclusion algorithm in order to establish the following properties:

1. A token is transferred only upon request.

$$\bigwedge_i AG\big((n_i \wedge \neg t_i) \Rightarrow A[(\neg d_i \wedge \neg t_i)\; U\; d_i]\big)$$

2. Only the process with the token may get into its critical state.

3. Once a process has requested the token, it continues to request the token until the token is received.

$$\bigwedge_i AG\big(d_i \Rightarrow A[d_i\; U\; t_i]\big)$$

4. Every process that wants to enter its critical state eventually does.

$$\bigwedge_i AG\big(d_i \Rightarrow AF\, c_i\big)$$

In order to define the bisimulation between $M_2$ and $M_r$, we must first define the relation $IS \subseteq I_2 \times I_r$ that determines the correspondence between index values in the two structures:

$$IS = \{(1,1)\} \cup \{(2, i) \mid i \in I_r - \{1\}\}.$$

Next, we must define the correspondence between states, $E_{i,i'} \subseteq S_2 \times S_r \times \mathbb{N}$, for every $(i, i') \in IS$:

1. Two states, $s$ in $M_2$ and $s'$ in $M_r$, $E$-correspond if $i$ is in the same part of $s$ as $i'$ is in $s'$, and, if $i \in C$, then $D = \emptyset \Leftrightarrow D' = \emptyset$.

2. Let an $i$-idle transition be a transition which does not have any effect on $i$, i.e. $i$ belongs to the same part of the state before and after the transition, and if $i \in C$ and $D$ is empty, then $D$ remains empty.

We define the rank of $s$, $r(s, i)$, to be the maximal number of consecutive $i$-idle transitions possible from $s$, if this number is finite. Otherwise, the rank of $s$ is 0. The degree of the correspondence between $s$ and $s'$ is defined to be $r(s, i) + r(s', i')$.

Note that the only case in which the number of consecutive $i$-idle transitions from $s$ is infinite is when $i \in N$ (i.e. $s \models n_i \wedge \neg t_i$): the process holding the token can then cycle between its neutral and critical states forever without touching $i$. Also note that if $s_1$ is reachable from $s$ by pursuing $i$-idle transitions only and $r(s, i) \neq 0$, then $r(s_1, i) < r(s, i)$.

First, we show how to compute $r(s, i)$. There are a number of cases, depending on which part of the state $i$ is in.

1. $i \in N$. In this case, there is an infinite number of consecutive $i$-idle transitions starting from $s$, so $r(s, i) = 0$.

2. $i \in D$. Let process $j$ be the one with the token. There are four sources of $i$-idle transitions in this case:

 a. Processes that are initially neutral may become delayed. ($|N|$ transitions.)

 b. The process with the token may enter its critical section. ($|T|$ transitions.)

 c. The token may be transferred to a delayed process between $j$ and $i$. ($((j - i) \bmod r) - 1$ transitions.)

 d. The processes that gave up the token in the previous step may become delayed. ($((j - i) \bmod r) - 1$ transitions.)

Therefore, $r(s, i) = |N| + |T| + 2((j - i) \bmod r) - 2$.

3. $i \in T$. The only $i$-idle transitions are neutral processes becoming delayed. So $r(s, i) = |N|$.

4. $i \in C$ and $D = \emptyset$. Since all transitions either move $i$ into a different part of the state or add processes to $D$, $r(s, i) = 0$.

5. $i \in C$ and $D \neq \emptyset$. The only $i$-idle transitions are neutral processes becoming delayed. Therefore, $r(s, i) = |N|$.
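The definition of $R_r$, the three invariants, the totality argument and the five rank cases above can all be checked mechanically for small $r$. The following Python program is an added illustration, not code from the paper. It assumes, since the text does not fix it, that processes are numbered $1..r$ and that the "left" neighbor of $j$ is $j-1$ modulo $r$, so $cln(j)$ is the first delayed process met when counting down from $j$. It enumerates the states reachable from $s^0_r$, checks invariants 1 and 3 and that $R_r$ is total on them, and compares the rank $r(s,i)$ found by exhaustive search with the closed forms of cases 1 to 5 (case 2 read with $\bmod r$); $O$ is dropped from the state tuple because invariant 1 says it is always empty, and the partition check confirms no process is ever lost.

```python
"""Executable model of the r-process token-ring program of Section 5.
Added illustration, not code from the paper. Assumptions (not fixed by the
text): processes are numbered 1..r, "left" of j means j-1 (mod r), so cln(j)
is the first delayed process met counting down from j. A global state is the
tuple of parts (D, N, T, C); O is dropped because invariant 1 says it is empty,
and check_invariants() confirms that no process is ever lost."""


def cln(j, D, r):
    """Closest delayed neighbour to the left of j, or None if D is empty."""
    for step in range(1, r):
        k = (j - 1 - step) % r + 1
        if k in D:
            return k
    return None


def successors(s, r):
    """All s1 with (s, s1) in R_r, tagged with the clause number of R_r."""
    D, N, T, C = s
    out = []
    for i in N:                       # clause 1: neutral -> delayed
        out.append((1, (D | {i}, N - {i}, T, C)))
    for j in T | C:                   # clause 2: token j -> i = cln(j), i enters C
        i = cln(j, D, r)
        if i is not None:
            out.append((2, (D - {i}, N | {j}, T - {j}, (C - {j}) | {i})))
    for i in T:                       # clause 3: neutral with token -> critical
        out.append((3, (D, N, T - {i}, C | {i})))
    if not D:                         # clause 4: critical -> neutral, token stays
        for i in C:
            out.append((4, (D, N, T | {i}, C - {i})))
    return out


def reachable(r):
    """s0_r and the set of states reachable from it (the carrier of M_r)."""
    s0 = (frozenset(), frozenset(range(2, r + 1)), frozenset({1}), frozenset())
    seen, todo = {s0}, [s0]
    while todo:
        for _, s1 in successors(todo.pop(), r):
            if s1 not in seen:
                seen.add(s1)
                todo.append(s1)
    return s0, seen


def check_invariants(r):
    """Invariants 1 and 3 of Section 5 and totality of R_r on M_r; returns |M_r|."""
    _, states = reachable(r)
    everyone = set(range(1, r + 1))
    for s in states:
        D, N, T, C = s
        assert len(D) + len(N) + len(T) + len(C) == r and D | N | T | C == everyone
        assert len(T | C) == 1            # exactly one token holder
        assert successors(s, r)           # no dead state among reachable ones
    return len(states)


def part_of(i, s):
    """Index of the part (0=D, 1=N, 2=T, 3=C) that process i belongs to."""
    return next(p for p, part in enumerate(s) if i in part)


def idle(i, s, s1):
    """i-idle: i keeps its part, and if i in C with D empty, D stays empty."""
    return part_of(i, s) == part_of(i, s1) and not (i in s[3] and not s[0] and s1[0])


def rank(s, i, r):
    """r(s,i) by exhaustive search: longest run of i-idle moves, 0 if unbounded."""
    def longest(u, on_path):
        best = 0
        for _, v in successors(u, r):
            if not idle(i, u, v):
                continue
            if v in on_path:
                return None                      # idle cycle: infinitely many moves
            sub = longest(v, on_path | {v})
            if sub is None:
                return None
            best = max(best, 1 + sub)
        return best
    res = longest(s, frozenset({s}))
    return 0 if res is None else res


def rank_formula(s, i, r):
    """The closed forms of cases 1-5 in the text (case 2 taken with 'mod r')."""
    D, N, T, C = s
    if i in N:
        return 0
    if i in T:
        return len(N)
    if i in C:
        return 0 if not D else len(N)
    j = next(iter(T | C))                         # i in D; j holds the token
    return len(N) + len(T) + 2 * ((j - i) % r) - 2


def ranks_agree(r):
    """True iff search and closed form coincide on every (s, i) of M_r."""
    _, states = reachable(r)
    return all(rank(s, i, r) == rank_formula(s, i, r)
               for s in states for i in range(1, r + 1))


if __name__ == "__main__":
    for r in (2, 3, 4):
        print(r, check_invariants(r), ranks_agree(r))
```

For $r = 2$ the search finds the 8 states of Figure 5-1 (token holder, holder in $T$ or $C$, other process in $N$ or $D$); in general $M_r$ has $r \cdot 2^r$ states. The rank search treats an $i$-idle cycle as "infinitely many transitions", which is exactly the case $i \in N$ where the text assigns rank 0.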


Now, we must check that $E$ is a correspondence relation.


Clause (1): Because all of the processes are neutral in the initial states of $M_2$ and $M_r$ and process 1 has the token in each initial state, these states correspond for every $(i, i') \in IS$, with degree $k = r(s^0_2, i) + r(s^0_r, i')$.


Clause (2a): Immediately from the definition of $E_{i,i'}$, for every two states $s, s'$ that $E_{i,i'}$-correspond with any degree, $s \models a_i \Leftrightarrow s' \models a_{i'}$ for every $a \in IP$.

Clause (2b): Assume $s\, E^k_{i,i'}\, s'$ where $k = r(s, i) + r(s', i')$. There are five cases, one for each of the clauses in the definition of $r(s, i)$. We check the first two cases; the others are similar.

1. $i \in N$ and $i' \in N'$.

From above, $r(s, i) = r(s', i') = 0$, so $k = 0$. From $s$, two kinds of transitions are possible:

 a. Process $i$ can become delayed, reaching a state $s_1$. Since $i' \in N'$, process $i'$ can also become delayed, reaching some state $s'_1$. These two next states are $E_{i,i'}$ related, since $i \in D_1$ and $i' \in D'_1$.

 b. Some process can make an $i$-idle transition to a state $s_1$. In this case, some process in $M_r$ can also make an $i'$-idle transition to a state $s'_1$. Since $i$ and $i'$ are still in the same part, these two next states are $E_{i,i'}$ related.

Since every transition from $s$ has a corresponding transition from $s'$, clause (2b) holds in this case.

2. $i \in D$ and $i' \in D'$.

There are three cases:

 a. Some process can make an $i$-idle transition to a state $s_1$. Since $i \in D_1$, $s_1\, E^v_{i,i'}\, s'$ for $v = r(s_1, i) + r(s', i')$. $r(s, i)$ measures the maximum possible number of $i$-idle transitions from $s$. Because an $i$-idle transition from $s$ has been made, $r(s_1, i) < r(s, i)$, so $v < k$, so clause (2b) holds.

 b. Process $i$ receives the token from process $j$, and process $i'$ can receive the token from process $j'$. After these transitions, both $i$ and $i'$ are in $C$, so the successor states correspond.

 c. Process $i$ receives the token from process $j$, but process $i'$ cannot receive the token from process $j'$ ($i' \neq cln(j')$). Thus, there must be a delayed process between $j'$ and $i'$ which is the closest neighbor of $j'$. Therefore, there is an $i'$-idle transition in which this closest neighbor receives the token. The resulting state, $s'_1$, corresponds to $s$ with degree $v = r(s, i) + r(s'_1, i')$. Since an idle transition from $s'$ has been made, $r(s'_1, i') < r(s', i')$, so $v < k$, so clause (2b) holds.

Clause (2c) is proven similarly to clause (2b).

This completes the proof of the bisimulation of $M_2$ and $M_r$.

6.  Directions  For  Future  Research 

The notion of bisimulation introduced in Section 4 currently requires some representation for the global states of a product machine. When the individual processes in such a product are more complicated than the ones in the ring network example of Section 5, it may be difficult to find such a representation. Perhaps an appropriate notion of bisimulation can be found that applies directly to the individual processes rather than to the global state graph. More work clearly needs to be done on this problem. Another problem concerns the restriction on nesting of $\bigwedge_i$'s and $\bigvee_i$'s given in Section 4. We showed how nesting of these operators could be used to count the number of processes in a concurrent program, so some restriction is clearly necessary. We conjecture that with formulas having at most $k$ operators of this type, it is impossible to distinguish between programs that have more than $k$ processes. In other words, if $f$ is a formula with $k$ levels of $\bigwedge_i$ and $\bigvee_i$ operators and $M_n$ is a Kripke structure obtained as a product of $n$ identical processes, then $f$ will hold in $M_n$ for $n > k$ if and only if $f$ holds in $M_k$. It is easy to prove this result when the product of the individual processes is a free product, i.e. when there is no synchronization between the individual processes. When the processes are synchronized, however, the conjecture seems much more difficult to prove.

We would like to acknowledge Prasad Sistla's insightful comments on an early version of this paper.